1117157 - soeasy.sodexo.be is TLS 1.1/1.2 intolerant and is RC4/Export Suites only

Status: RESOLVED FIXED

(Web Compatibility :: Site Reports, defect)

Description

[nightly-win.maricau]

Attachment: ICON--firefox64-Linux-sodexo--secured.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 2014112600

Steps to reproduce:

Using firefox 037.01a on WIN7 i'm accessing this encrypted page:
http://soeasy.sodexo.be/ServiceVouchers/
(Which is automaticly redirected to the https://)

or directly the secured page:
https://soeasy.sodexo.be/ServiceVouchers/


Actual results:

no access and it says : Your connection to this site is not encrypted.

What's happening ?


Expected results:

Normal access to the page like with other browser on same OS or others too (firefox& konqueror on opensuse 13.2 x64)

Comment 1

[nightly-win.maricau]

Attachment: ICON--firefox64-Windows7-sodexo--secured.png

Comment 2

[nightly-win.maricau]

Attachment: Page Info--firefox64-Linux--no OWNERSHIPINFORMATION.png

Comment 3

[nightly-win.maricau]

Attachment: Page Info--firefox64-WIN7--no OWNERSHIPINFORMATION.png

Comment 4

[nightly-win.maricau]

Attachment: ICON--konqueror-Linux-sodexo--secured.png

Comment 5

[Dave Garrett]

The server's SSL/TLS configuration is severely broken.
https://www.ssllabs.com/ssltest/analyze.html?d=soeasy.sodexo.be

It is TLS version 1.1+ intolerant and only use RC4 or EXPORT ciphers. SSL 3 is still supported and insecure renegotiation is supported.

This might be a dupe of bug 1116891, however if I test it in a new profile in Aurora it works. It fails to load in a new profile in Nightly.

Comment 6

[nightly-win.maricau]

Hi Dave Garrett,

I think you're partly right because nightly 37.0a1 have the same result to access these sites from the bug you've mentioned https://bugzilla.mozilla.org/show_bug.cgi?id=1116891

https://airportwifi.com/ 
https://cart.pcpitstop.com/ 
https://books.wwnorton.com/

The result is like the one i have when accessing https://soeasy.sodexo.be/ServiceVouchers/
But i don't know if it's the same reason.
But the bug 1116891 also affects nighly 37.0a1 x64 on Windows 7 !

The site is not mine thus i can't make any changes to the server.  What about the ssl/TLS configuration of the server i can't do anything only informing the company that is SSL/TLS configuration is severely broken.

Comment 7

[Masatoshi Kimura [:emk]]

(In reply to nightly-win.maricau from comment #6)
> The site is not mine thus i can't make any changes to the server.  What
> about the ssl/TLS configuration of the server i can't do anything only
> informing the company that is SSL/TLS configuration is severely broken.

Your current workaround is adding "soeasy.sodexo.be" to "security.tls.insecure_fallback_hosts" from about:config. We will add the domain to the default whitelist if the site is not fixed until we ship Firefox 37.

Comment 8

[Yuhong Bao]

(In reply to Dave Garrett from comment #5)
> The server's SSL/TLS configuration is severely broken.
> https://www.ssllabs.com/ssltest/analyze.html?d=soeasy.sodexo.be
> 
> It is TLS version 1.1+ intolerant and only use RC4 or EXPORT ciphers. SSL 3
> is still supported and insecure renegotiation is supported.
> 
> This might be a dupe of bug 1116891, however if I test it in a new profile
> in Aurora it works. It fails to load in a new profile in Nightly.

Ah, the server is the obsolete Microsoft-IIS/5.0.

Comment 9

[Yuhong Bao]

Though even IIS 5.0 is not version intolerant so it is probably a load balancer.

Comment 10

[:Cykesiopka]

(Changing summary for easier tracking)

Comment 11

[:Cykesiopka]

Fixed.